Write-up Codegate 2010 #7 - Decrypting HTTPS SSL/TLSv1 using RSA 768bits with Wireshark

Last week-end, I was a challenger at Codegate 2010 Capture the Flag with team Nibbles. Well organized by Koreans guys (who didn't sleep a lot either ;), the CTF proposed quality challenges and I thought it would be a great subject for a few posts.

Challenge #7 was a network capture file (ssl.pcap) containing an encrypted https session. The hint was: does the modulus look familiar?. The goal is obviously to decrypt the https to find the flag. Let's see how we can do that!

Steps:

1. Extract public certificate
2. Identify encryption
3. Create private certificate
4. Decrypt https

1. Extract public certificate

Launch Wireshark and open the capture file. Browse the packets to the TLSv1 Server hello. Open the SSL layer, expand TLSv1 Record Layer containing certificate, select the certificate and use right-click/Export selected packet bytes to save the X.509 certificate in binary DER as public.der.

2. Identify encryption

Using OpenSSL suite, you can see information contained in certificate:

$ openssl x509 -inform DER -in public.der -text
[...]
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (768 bit)
                Modulus (768 bit):
                    00:ca:d9:84:55:7c:97:e0:39:43:1a:22:6a:d7:27:
                    f0:c6:d4:3e:f3:d4:18:46:9f:1b:37:50:49:b2:29:
                    84:3e:e9:f8:3b:1f:97:73:8a:c2:74:f5:f6:1f:40:
                    1f:21:f1:91:3e:4b:64:bb:31:b5:5a:38:d3:98:c0:
                    df:ed:00:b1:39:2f:08:89:71:1c:44:b3:59:e7:97:
                    6c:61:7f:cc:73:4f:06:e3:e9:5c:26:47:60:91:b5:
                    2f:46:2e:79:41:3d:b5
[...]

The interesting thing here is that the public-key algorithm is RSA, the modulus 768 bits and specifically it's RSA-768 which has been factored!

RSA-768 = 334780716989568987860441698482126908177047
          949837137685689124313889828837938780022876
          14711652531743087737814467999489
          × 3674604366679959042824463379962795263227
          915816434308764267603228381573966651127923
          3373417143396810270092798736308917

Conclusion: we are able to create our own private certificate, valid to decrypt the SSL.

3. Create private certificate

Thanks to Mister P and Q's Excellent Solution to Didier Stevens' Authenticode Challenge, it was really easy.

I used their CreatePEM.cpp, turned it back into a C program, included e_os.h from OpenSSL and added P & Q of RSA-768bits which gave me create_private.c. Make sure you also have OpenSSL development files installed (package libssl-dev on Debian), then compile with:

$ gcc -lssl -o create_private create_private.c

Then run it to generate private.pem, the private certificate in PEM format:

$ ./create_private
$ ls -l private.pem
-rw-r--r-- 1 stalkr stalkr 692 2010-03-15 16:17 private.pem

4. Decrypt https

Open Wireshark preferences file:

• on Linux: ~/.wireshark/preferences
• on Windows: C:\Documents and Settings\<user>\Application Data\Wireshark\preferences

Inform Wireshark that you want it to desegment SSL records and application data, and give it the private certificate for the https server we observed (192.168.100.4):

ssl.desegment_ssl_records: TRUE
ssl.desegment_ssl_application_data: TRUE
ssl.keys_list: 192.168.100.4,443,http,/home/stalkr/codegate/7/private.pem

Fix the path to private certificate accordingly, on Windows use regular slashes /.

Again, launch Wireshark and open the capture file. We can now see the application data: an HTTP GET request to index.html, and the response containing the flag.

Interesting challenge isn't it?
Thanks goes to my friend SiD for his help on this challenge.